DRAFT CHEAT SHEET - WORK IN PROGRESS

Introduction

The .NET Framework

The .NET Framework is Microsoft's principal platform for line of business development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.

Updating the Framework

The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run seperate updates to the Framework. Windows update can be accessed at http://windowsupdate.microsoft.com/ or from the Windows Update program on a Windows computer.

Individual frameworks can be kept up to date using NuGet. As Visual Studio prompts for updates, build it into your lifecycle.

.NET Framework Guidance

The .NET Framework is the set of APIs that support an advanced type system, data, graphics, network, file handling and most of the rest of what is needed to write line of business apps in the Microsoft ecosystem. It is a nearly ubiquitous library that is strong named and versioned at the assembly level.

Data Access

Use Parameterized SQL commands for all data access, without exception.

Do not use SqlCommand with a string parameter made up of a concatenated SQL String.

Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.

Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.

Use an indirect reference map. Don't allow users to see the primary key of a database row.

Encryption

Never, ever write your own encryption.

When using a hashing function, use a salt value added to the original value before hashing.

Use a strong hash algorithm.

In .NET 4.5 the strongest hashing algorithm is System.Security.Cryptography.SHA512.

XAML Guidance

Work within the constraints of Internet Zone security for your application.

Use ClickOnce deployment. For enhanced permissions, use permission elevation at runtime or trusted application deployment at install time.

Windows Forms Guidance

Use partial trust when possible. Partially trusted Windows applications make the attack surface of an application much smaller. Manage a list of what permissions your app must use, and what it may use, and then make the request for those permissions declaratively at run time.

Use ClickOnce deployment. For enhanced permissions, use permission elevation at runtime or trusted application deployment at install time.

WCF Guidance

Keep in mind that the only safe way to pass a request in RESTful services is via HTTP POST, with TLS enabled. GETs are visible in the querystring, and a lack of TLS means the body can be intercepted.

Avoid BasicHttpBinding. It has no default security configuration. Use WSHttpBinding instead.

Use at least two security modes for your binding. Message security includes security provisions in the headers. Transport security means use of SSL. TransportWithMessageCredential combines the two.